GDPR

The GDPR section covers a number of topics:

All these components are mandatory and will also be part of the GDPR Assessment to check if all is in place.

In the overview of Stakeholder & Legal requirements you have probably added GDPR more than once in relation to your stakeholders. ISO 27001 requires you to address all the above topics.


Please find below more information about the legal basis choices.

  1. Consent: The data subject has freely given consent for their information to be processed for a specific purpose. Tacit consent is not enough. You must be able to demonstrate that you have received valid permission from people to process their personal data. Withdrawing consent should be as easy as giving it. You must also inform the data subject of this right. After consent is withdrawn, you must stop processing the relevant data. You cannot then use any other basis to process that data.
  2. Execution of an agreement: You may process Personal Data for the execution of an agreement. For example, recording name and address details to be able to deliver an ordered product to your customer’s home. This data may only be used for that purpose. You may not use this information later to send your customer a newsletter. You need permission again for this.
  3. Legal obligation: Sometimes you have to record personal data to comply with a legal obligation. An employer must record the personal data of employees and pass it on to, for example, the Tax and Customs Administration. Without the employee’s permission, the data may not be passed on to an organization for which there is no legal obligation. Again, permission is required.
  4. Vital interest: In emergencies, when it comes to health or danger to life, the processing of personal data by care providers may be justified. This basis can only be used if it is really not possible to obtain permission.
  5. General interest: You may process personal data under this basis if it concerns another legal provision in which the purpose of the processing is also described.
  6. Legitimate interest: Personal data may be processed to represent a legitimate interest. The “legitimate interest” basis does not apply if the rights of the persons concerned outweigh that interest. It may be a legitimate interest if there is a relevant and appropriate relationship between an organization and its customers. A legitimate interest may include processing login names and passwords for network security. The organization must be open about its legitimate interest. Data subjects can object to the processing of personal data on the grounds of legitimate interest.

When you have chosen your legal basis, you will need to add:

  • Whether you are Data Controller or Data Processor. High-level rule: if you are B2B, you are data processor, as your customer will decide what the purpose of your product is. In some cases you can be both.
  • The country in which you collect the data and the Data Protection Authority.
  • https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm – use this link for a total overview of all Data Protection Authorities in Europe.


User Documentation : Overview of all documentation for Users


Use this section to store the latest versions of your End-User documentation and keep track of versioning. End-Users are consumers – the target subjects of the GDPR. There are a number of End-User Documentation types:

  • Internal Privacy Policy – specific for your internal organization (team members)
  • External Privacy Policy – specific privacy rules for the End-users making use of your product/service
  • Cookie Policy – mandatory if you have a Website – explanation about cookies and the reason for their use (remember you will always use a minimum set of cookies)
  • Terms of Use – specific service rules for the End-user while making use of your product/service

Depending on your product/service, you will have end-user documentation in place.

Checklist for your external privacy policy, topics to address:

  • your company details
  • the purpose of the data capture and legal basis
  • what data you collect
  • to whom you may pass on the data
  • how long you keep the data
  • the security you have applied to the recorded personal data
  • the right to inspect, correct, delete, and transfer your own data (data portability)
  • the right to withdraw consent
  • the right to file a complaint
  • address how you ask for Consent


Review on a yearly basis is needed – add your document, and on a yearly basis you will review it and add a short note on the changes made. Approvals on C-level can be added as evidence.

User GDPR Rights Requests : Your register to keep track of End-User requests, e.g. data deletion


Data rights requests are requests from end-users to make use of one of the GDPR rights: withdraw consent, inspect, correct, delete, and transfer the data (data portability). If you have a B2B product, you will probably not be responsible for the registration of the data rights requests – your customer will want to stay in charge of that.

However, prepare yourself for the request – from your customer – in case you need to execute these rights. You will need to set up an End-User Data Rights Request Procedure – a template is in the Documentation Kit. This will also be part of the MSA (Master Service Agreement) that you sign with your customers. The Procedure can be added in the Procedure/Info part of this section.

In any case, if you receive a request from an End-User of your product/service, this is the section where you register it and add evidence for it – in case the Data Protection Authority files a request for information.

What to register:

  • Request from (name of the End-User)
  • Project (or customer)
  • Request Date
  • The GDPR Right type (drop down list)
  • Status: in progress / closed (to remind you)
  • End date (fill in when you close)
  • Link to tech job (link to ticket of TechTeam, with evidence of e.g. deletion)
  • Make use of extra fields if needed (add evidence)

Data Breaches : Your overview of all data breaches

First you will need to start with defining your Data Breach Procedure – a template is in the Documentation Template Kit. Once finalized, add it to the Procedure/Info part of this section.

Be careful with classifying an event as a data breach, especially in conversations with clients and team members. Make sure that it is clear to all team members that only the Data Protection Officer (DPO) can classify an event as a data breach. There are strict rules on the definition of Data Breaches – please check the link below for the Dutch Data Protection Authority (or use the one from other EU countries). https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/policy_rules_data_breach_notification_obligation.pdf

Once that has been done, the 72-hour reporting to the Data Protection Authorities will need to be carried out. In your SLA or T&C with your customer(s) the timing for communicating data breaches is described.

It is important that for your team – those in charge of monitoring systems and support tickets – it is clearly defined what an event is, what an incident is and what a data breach is. C-level will always need to be notified in case of a data breach, because this can have serious impact on the business and external communication will need to be involved.

In the template Data Breach Procedure, you can find the steps to follow in case of a data breach.


Per data breach you will document the process, and the DPO is responsible for this. Make sure the improvements defined are also translated into actual improvements.

Data breaches belong to the overview of security metrics, so they will be discussed and followed up by the ISMS Team during security meetings.

DPA Overview : Your overview of all Data Process Agreements (with customers, suppliers, etc.)

In Compleye Online we do not store signed contracts between your organization and other stakeholders; the exception is the DPAs – Data Process Agreements, as they contain no confidential information other than the data protection rules agreed upon.

We advise you to always mention in your DPA that when the commercial contract expires, the DPA also expires, so that you will not have to keep track of end dates for the DPA.

For a small-sized B2B company the DPA can also be part of a commercial contract (MSA/SLA) and therefore need not be added to this section. In case special agreements are made between you and your customer, you will either adopt the extra security or privacy activities as your own, or mention them in the Global Impact section.

If you do sign separate DPAs with your customers, partners and/or suppliers, you can file them here and keep track of special articles – or keep track of the closing dates of these contracts (by adding extra fields).

Make sure that the template is part of your Contract section.


  • Type of DPA : you can add the name of the template (e.g. supplier, partner, customer)
  • Contract Party : name of the other company
  • Remarks : add e.g. content that is not part of the template – additional agreements
  • Date Signed : closing date
  • Add the actual DPA as evidence
  • Use extra fields if needed, if you want to keep track of additional information.

GDPR – Add new

Field | Value / Description | Example
Legal Basis | Select from the drop-down menu the legal basis that applies to your organisation | Consent
Role | Select a button field – whether you are Data Controller, Data Processor or both. High-level rule: if you are B2B, you are data processor, as your customer will decide what the purpose of your product is. In some cases you can be both. | Data Controller
Country of data collection | Free text field – write the name of the country | The Netherlands
Data Protection Authority | Free text field | Dutch Data Protection Authority

User Documentation – Add new

Field | Value / Description | Example
Type of End User Document | Select from the drop-down menu the type of end user document you would like to list | Internal Privacy Policy
Languages | Free text field – in which languages the documentation is published | Dutch, English
Remarks | Free text field – any additional notes | none

User GDPR Rights Request – Add new

Field | Value / Description | Example
Request from | Free text field – which party/customer/supplier the request is coming from | supplier
Project | Free text field – area of business the request is coming from | SuperCool Fremium 2022
Request date | Calendar – select the date the request came in | 1st of February 2022
Status | Select the button – request is in progress or closed | closed
End Date | Calendar – select the date the request was closed | 2nd of February 2022
Link to tech job | Free text field to paste the link related to the request |

Data Breaches – Add new

Field | Value / Description | Example
Data breach description | Free text field | Hacker attack
Date | Calendar – select the date the breach incident took place | 3rd of May 2020
Data breach report link | Free text field – add the link, and/or upload a document |
How it was handled | Free text field | within 18 hours evaluation with customer, within 72 hours reported to authorities
Improvements made | Free text field | automated monitor procedure
Status | Select the button – data breach handling is in progress or closed | in progress

DPA Overview – Add new

Field | Value / Description | Example
Type | Free text field – you can add the name of the template (e.g. supplier, partner, customer) | Supplier DPA
Contract party | Free text field – name of the other company | Blowaway
Remarks | Free text field – add e.g. content that is not part of the template, for example an additional agreement | Used our own template
Date signed | Calendar – select the closing date | 11th July 2021
DPA documents | Add the actual DPA as evidence |
Extra fields | Use extra fields if needed |
